At this year’s OpenInfra Summit in Vancouver, there were many sessions geared toward container security. Many talks focused on Kata Containers, ranging from how to enable Kata Containers with Moby to sharing the behind-the-scenes of the Kata 3.0 design.
These sessions took a deep dive into Kata Containers and showed how it is reshaping the landscape of modern computing. Now check out these highlighted talks from the OpenInfra Summit!
Kata Containers is a VM-based container runtime project. It is used to work properly with Moby, at the cost of complex architecture and extra management burdens. As the project developed, such complexity and burden became a blocker to its wider production adoption. As a result, when Kata Containers 2.0 was designed and developed, it was decided that it had to break with Moby in favor of a simpler and cleaner architecture.
Since that pivotal decision, the demand for running Kata Containers with Moby has remained constant, prompting numerous attempts by various developers to achieve compatibility. Peng Tao (Ant Group) and Cory Snider (Mirantis) were delighted to announce that with the latest versions of Moby and Kata Containers, the two projects can once again collaborate effectively.
This presentation offers a retrospective look into the project’s history, shedding light on the challenges encountered, the factors that contributed to temporary setbacks, and the eventual solutions that were implemented. It even features a demo, illustrating how to effortlessly and smoothly run Kata Containers with Moby.
Kata containers provide the baseline isolation and sandboxing for containers; confidential containers bring a new set of security capabilities to achieve your stringent zero trust goals. Together, sensitive data workloads can be isolated from the infrastructure host and Kubernetes control plane to achieve remotely attestable and integrity-protected pods through Azure confidential computing (ACC). Watch Amar Gowda and Michael Withrow from Microsoft as they present a deep dive into Kata Containers and Kata Confidential Containers’ support with AKS and learn about the innovations happening within the community.
Learn More: aka.ms/cocoaks
Last year, Kata Containers 3.0 was released. Meanwhile, Ant Group has updated the deployment to isolate the heterogeneous workloads. However, given the trend of Service Mesh and application runtime (such as dapr), the current Kata can’t deal with the evolved security challenges well.
Thinking of the service mesh scenarios, there are sidecars for the data plane processing in sandbox, thus Kata allows access to the control plane in sandbox. If there are any exploits in it, they may attack the control plane. In short, service mesh breaks Kata’s security boundary and the infrastructure needs to be protected. In the current release cycle, many are working on solving the above issue.
In this presentation, Jieyue Ma and Fupan Li from Ant Group will illustrate the updated threat model in the mesh context and share some prototype designs that move the infrastructure sidecars out of the sandbox. They will also share initial PoC benchmark results.
After the debut of the Kata Container project in 2017, Kata was fast to evolve into a mature hypervisor-based container runtime. Now six years later, Kata Containers 3.0 has been announced. The Kata community hopes to deliver a higher standard of user experience and performance with version 3.0.
Kata 3.0 has the following updates:
- A new built-in hypervisor Dragonball. A customized hypervisor allows us to do multiple optimizations on container workloads.
- A new async rust runtime.
- An integrated design brings an out-of-the-box user experience.
Kata 3.0 is the community version of an in-house developed hypervisor-based container runtime called RunD. RunD is an architecture with a good reputation in both academia and industry field. It has been used in Ant Group’s production environment and in Alibaba’s Cloud serverless platforms. A thesis diving into the RunD design was also accepted by ATC’22.
Ant Group’s, Peng Tao unravels the design of Kata 3.0 and shares everything behind the magic during his session.
- Large Scale Ops Deep Dive: NIPA Cloud | OpenInfra Live Recap - September 21, 2023
- Convesio | An OpenStack Case Study - September 11, 2023
- Zuul Deep Dive: Volvo | OpenInfra Live Recap - September 7, 2023